This chapter is from the book

The Security Policy

As mentioned before, the security policy encompasses both the rule base that
dictates what traffic is allowed, and the global properties that introduce
additional behavior into the firewall.

A firewall administrator should understand how to develop a rule base, and
how to manage the global properties to effectively secure the network.

A Skeleton Rule Base

Check Point recommends that there be a few standard rules in your rule base,
for both security reasons and ease of management.

The first recommended rule is the stealth rule. The purpose of the stealth
rule is to disallow any communication to the firewall itself, protecting it from
attacks. This rule should be placed near the top of the rule base, with the only
rules above it being those that permit or require access to the firewall.

A stealth rule looks like the one shown in Table 3.2.

Table 3.2 The Stealth Rule

Source   Destination   Service   Action   Track   Install On       Time
Any      Firewalls     Any       Drop     Log     Policy Targets   Any

Here, the stealth rule matches anything pointed at the firewall
itself and drops it with a log entry. The Firewalls object is assumed to be a
group containing all the Check Point objects under management.

Check Point also recommends the use of a cleanup rule, which drops and logs
all traffic not caught by other rules. Recall that the default behavior of
FireWall-1 is to drop any packet that is not explicitly permitted, without
logging it. From a security and troubleshooting standpoint, having a log of
dropped packets is extremely beneficial. Table 3.3 shows the cleanup rule.

Table 3.3 The Cleanup Rule

Source   Destination   Service   Action   Track   Install On       Time
Any      Any           Any       Drop     Log     Policy Targets   Any

Note that the rule specifies Any for the Source, Destination,
and Service fields. Any packet that doesn't get matched by a previous rule
will be matched by this one. Because the Track column is set to Log, you will
have a record of the packet details rather than a silent drop.
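To make the first-match semantics of the skeleton rule base concrete, here is an added example in Python; it is not code from the book or from Check Point. The management host, the members of the Firewalls group, the web-out rule and all addresses are constructed for illustration.

```python
# Added example: a minimal first-match rule-base evaluator modelling the
# stealth and cleanup rules. Object membership and addresses are constructed.

FIREWALLS = {"10.0.0.1", "10.0.0.2"}   # constructed "Firewalls" group
MGMT_HOSTS = {"10.0.1.50"}             # constructed admin workstation

def member(value, obj):
    """Match a packet field against a rule object ('Any' or a set of values)."""
    return obj == "Any" or value in obj

def evaluate(rules, pkt):
    """Return (rule_name, action, logged) for the first rule that matches.
    A packet no explicit rule matches falls to the implicit default drop,
    which, as the text notes, is not logged."""
    for name, src, dst, svc, action, track in rules:
        if (member(pkt["src"], src) and member(pkt["dst"], dst)
                and member(pkt["svc"], svc)):
            return name, action, track == "Log"
    return "implicit-drop", "Drop", False

# Rule order matters: only the rule that must reach the firewall sits above
# the stealth rule; the cleanup rule is last so nothing is dropped silently.
RULE_BASE = [
    # name,      source,       destination, service,  action,   track
    ("mgmt",     MGMT_HOSTS,   FIREWALLS,   {"ssh"},  "Accept", "Log"),
    ("stealth",  "Any",        FIREWALLS,   "Any",    "Drop",   "Log"),
    ("web-out",  {"10.0.2.7"}, "Any",       {"http"}, "Accept", "None"),
    ("cleanup",  "Any",        "Any",       "Any",    "Drop",   "Log"),
]

# The same rule base without the cleanup rule, to show the lost log entry.
NO_CLEANUP = RULE_BASE[:-1]

if __name__ == "__main__":
    probe = {"src": "203.0.113.9", "dst": "10.0.0.1", "svc": "http"}
    admin = {"src": "10.0.1.50", "dst": "10.0.0.1", "svc": "ssh"}
    other = {"src": "10.0.2.7", "dst": "198.51.100.4", "svc": "smtp"}
    print(evaluate(RULE_BASE, probe))   # ('stealth', 'Drop', True)
    print(evaluate(RULE_BASE, admin))   # ('mgmt', 'Accept', True)
    print(evaluate(RULE_BASE, other))   # ('cleanup', 'Drop', True)
    print(evaluate(NO_CLEANUP, other))  # ('implicit-drop', 'Drop', False)
```

The last two calls show the point of the cleanup rule: the same unmatched packet is dropped either way, but only the rule base with a cleanup rule produces a log entry.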

Implicit and Explicit Rules

Normally only the rules you enter are shown in the rule base. These are
called explicit rules, because they were created explicitly. However, there are
many rules that are also enforced by the firewall that you do not see. These are
called implicit rules (or implied rules), and they either are a part of every
policy or are added and removed as part of features and options that you
configure in other parts of the interface.

To view the implicit rules, pull down the View menu and select Implied
Rules.

CAUTION

You’re viewing the implicit rules, but the menu option says
Implied.

Whether or not you are viewing the implicit rules has no bearing on what gets
pushed out to the enforcement points. All enforcement points receive the implied
rules, and they cannot be disabled.